lartc@manchotnetworks.net
2003-Aug-30 16:44 UTC
policy routing on locally generated packets; application routing; -- much better with iptables-1.2.8-8.80.2
hello,
just a quick note after the thread concerning source ip selection on
locally generated packets, etc.
quick schema:

           +-----------------------------------+
lan_a ---> | eth0          alice          eth1 | ----> isp_a
           |                                   |
           +-----------------------------------+
here's alice's ifconfig:
eth0 191.168.0.254/24
eth1 192.168.1.254/24
eth1:1 192.168.1.100/24
here's alice's default routing table:
192.168.0.0/24 dev eth0 scope link
192.168.1.0/24 dev eth1 scope link
127.0.0.0/8 dev lo scope link
after installing iptables-1.2.8-8.80.2 on redhat-8.0, icmp protocol is
being handled as one would expect if the following script is used:
#mark locally generated packets in OUTPUT
#and snat them later in POSTROUTING
iptables --append OUTPUT --table mangle --jump MARK --set-mark 0x2
iptables --append POSTROUTING --table nat --match mark \
--mark 0x2 --jump SNAT --to-source 192.168.1.100
whereas the previous version of iptables was not using the --to-source
address for icmp, it is working now (i haven't checked why yet -- i had
built it myself). so tcp/udp/icmp are perfect. expressions in the mangle
table (uid/gid/pid/) are fully supported, therefore it is now possible
to policy route/snat on a user, group or application ... very cool.
the only exception for the moment is arp -- it will use the source
address as defined in the default routing table.
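The mark-then-SNAT setup described above, extended to the per-user case the post mentions, as an added example that is not part of the original post: the uid (1001), the mark value, the outgoing interface and the use of alice's eth1:1 address are assumed sample values, and DRY_RUN=1 only prints the rules so the script can be checked without root or a matching kernel.

```shell
#!/bin/sh
# Added example (not from the original post): mark packets generated by one
# local uid in the mangle OUTPUT chain, then SNAT them by mark in nat
# POSTROUTING. uid 1001, mark 0x2, eth1 and 192.168.1.100 are assumed
# sample values. DRY_RUN=1 prints the commands instead of executing them.

MARK=0x2
SNAT_IP=192.168.1.100   # assumed: alice's eth1:1 alias from the post
OUT_IF=eth1
APP_UID=1001            # assumed: uid whose traffic gets the alternate source

# Execute a command, or print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# The mark is set per owner in mangle OUTPUT; the nat POSTROUTING rule then
# rewrites the source address only for marked packets, so all other local
# traffic keeps the source address chosen by the default routing table.
install_rules() {
    run iptables -t mangle -A OUTPUT -m owner --uid-owner "$APP_UID" \
        -j MARK --set-mark "$MARK"
    run iptables -t nat -A POSTROUTING -o "$OUT_IF" -m mark --mark "$MARK" \
        -j SNAT --to-source "$SNAT_IP"
}

# Number of SNAT rules a dry run would emit (expected: exactly one), so the
# generated rule set can be checked before it is loaded.
count_snat_rules() {
    (DRY_RUN=1; install_rules) | grep -c -- "--to-source $SNAT_IP"
}

if [ "${1:-}" = "--dry-run" ]; then
    DRY_RUN=1
    install_rules
fi
```

Run it with `--dry-run` to see the two rules; without the flag it loads them and needs root. Note the caveat from the post still applies: arp replies are not affected by this and keep the routing table's source address.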
concerning the src ip address selection for arp, there is a patch/thread
very recently discussed at:
http://marc.theaimsgroup.com/?l=linux-kernel&m=106141566718585&w=2
cheers & thanks to all
charles
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/